Security Configuration Assessment (SCA) 


Getting Started Guide 


Security Configuration Assessment (SCA) is a lightweight cloud service that quickly performs 
configuration assessment of your IT assets and centrally tracks the compliance status of all your assets 
against the Center for Internet Security (CIS) hardening benchmarks. 


It not only helps you continuously improve your configuration posture as per the latest CIS benchmarks, 
but also lets you compare that posture against various industry standards such as PCI-DSS, HIPAA, NIST 
and many more. 


Why SCA? 


A security configuration setting is an element of a software's security that can be altered through the 
software itself. For example, an operating system offers access control lists that set the privileges that 
users have for files, and an application offers a setting to enable or disable the encryption of sensitive 
data stored by the application. A security configuration vulnerability involves the use of misconfigured 
security settings that could negatively impact the security of the software. 

A good security configuration program like SCA makes it difficult for an attacker to exploit such 
configuration vulnerabilities. 


Add assets to SCA 


Add the assets whose compliance status you want to track to SCA. The host-scanning mechanism for SCA 
scans remote hosts and also auto-discovers instances in the case of instance-based technologies. 


Go to Assets > Host Assets. From the New menu, select IP Tracked Hosts, DNS Tracked Hosts or NetBIOS 
Tracked Hosts. The tracking method you choose will be assigned to all of the hosts being added. Review the 
number of hosts you can add, enter the new IPs/ranges, and click Add. 

[Screenshot: SCA Assets > Host Assets tab, New menu with IP Tracked Hosts..., DNS Tracked Hosts..., 
NetBIOS Tracked Hosts... options.] 


Looks like you have assets in the VM app. Do you want to add these assets? Simply go to VM > Host Assets 
and select the assets you want to add to SCA. 

[Screenshot: Vulnerability Management > Assets > Host Assets tab, with the selection menu showing Edit, 
Add to Asset Groups, Remove from Asset Groups and Clear Selections.] 


Using our revolutionary Qualys Cloud Agent platform you can deploy lightweight cloud agents to 
continuously assess your infrastructure for security and compliance. 


What are the steps? Navigate to the Cloud Agent (CA) app and install the Cloud Agent in minutes. 

Refer to the Qualys Cloud Agent Getting Started Guide. 


Import and Build CIS Policy 


Our out-of-the-box CIS policies have controls pre-configured as per the recommendations from the CIS, and 
the policy controls are optimized for performance, scalability, error handling and default conditions. You 
can customize the values of the CIS checks as per your organization's security policies, or even 
enable/disable certain CIS checks for reporting. 


Simply go to Policies > Policies > New > Import CIS Policy. Click the policy you want and then click Next. 
Follow the wizard to give your policy a name and click Create. The imported policy is Active by default. 
[Screenshot: Policies tab, New menu with the Import CIS Policy option and the list of available CIS 
policies.] 
You can choose to show or hide individual controls in reports by activating or inactivating them from the 
Policy Editor. 


[Screenshot: Policy Editor, Controls view for section 1 "Management Plane - Local Authentication, 
Authorization and Accounting (AAA) Rules", listing controls by Reference #, CID, Statement and 
Technologies, e.g. 1.1.1 / CID 4357 "Status of the 'aaa new-model' configuration command on the device", 
1.1.2 / CID 4358 "Status of the 'aaa authentication login' configuration command on the device", 
1.1.3 / CID 4359 "Status of the 'aaa authentication enable' configuration command on the device", each 
with Edit and Inactivate actions.] 

Start collecting configuration data 


Scan your hosts to check the compliance of your systems against your CIS policies. The SCA scan collects 
the data required by the CIS policy; the Qualys Cloud Platform then analyzes and correlates it. 


Before you start the scan: 

- Add authentication records for your assets (Windows, Unix, etc.). 

- Use the option profile with recommended settings provided by Qualys (Compliance Profile), or create 
a new profile and customize the settings. 

- Configure a physical scanner or virtual appliance, or scan remotely using Qualys scanner appliances. 


It's simple to start your scan. Go to Scans > New > Scan, and tell us which IPs to scan, which scan 
options to use, and which scanner is right for the job (if you have scanner appliances, that is). 


[Screenshot: Launch Compliance Scan window. General Information: give your scan a name (Title), select a 
scan profile (Compliance Profile; a default is selected for you with recommended settings), and choose a 
scanner from the Scanner Appliance menu for internal scans, if visible. Choose Target Hosts from: Assets 
or Tags; Asset Groups; IPs/Ranges; Exclude IPs/Ranges. Notification: send notification when this scan is 
finished. Launch / Cancel.] 
Generate Report 


Your SCA report shows you the up-to-date compliance posture against the CIS benchmarks, references to 
compliance standards (PCI-DSS, HIPAA, NIST and more), Qualys provided control criticality and 
remediation information. 


Go to Reports > Reports > New and select either Authentication Report or Policy Report. Define the 
format and source of your report and click Run. 

[Screenshot: SCA Reports tab, New menu with Authentication Report and Policy Report options.] 

You can also quickly generate reports from the scan list or policy list directly. Just choose a scan or 
policy from your list and click the icon for Run Report in the Generate Report column. 


[Screenshot: Scans list (My Scans) with Targets, Reference, Date and Status columns, e.g. "Windows 10 
20170803", targets 10.10.36.98, reference compliance/1501796495.57828, 08/04/2017, Finished; a Generate 
Report icon is shown for each finished scan.] 


You can remediate the failed controls, per Qualys provided control criticality and the control 
remediation information. 

[Screenshot: Policy Report summary, with counts for Access Control Requirements / 
Authentication/Passwords, Approved Exceptions and Pending Exceptions.] 

Example control detail from the report: 

(1.3) 1072 Status of the 'Minimum Password Age' setting 
Windows Server 2012 R2 
10.10.10.86 (2012r2dtr-10-86, 2012R2DTR-10-86) 
Evaluation Date: 04/15/2017 at 14:36:17 (GMT-0700) 
OS: Windows Server 2012 R2 Datacenter 64 bit Edition 
Last Scan Date: 04/14/2017 at 13:24:48 (GMT-0700) 
Tracking Method: IP 
Asset Tags: Windows 2012 

The following Integer value X indicates the current status of the 'Minimum Password Age' (min_pass_age) 
within the Computer Configuration\Windows Settings\Security Settings\Account Policies\Password 
Policy\Minimum password age setting for local accounts. 

Expected: greater than or equal to 1 
OR any of the selected values below: 
Attribute not found 
Unable to retrieve password policy 

Actual: Updated 04/14/2017 at 13:24:48 (GMT-0700) 

Remediation: To establish the recommended configuration via GP, set the following UI path to 1 or more 
day(s): Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password 
Policy\Minimum password age 
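The control detail above spells out the pass rule for CID 1072: the collected integer must be 1 or more, OR the collected value is one of the selected sentinel strings. The following added example (not Qualys code) re-implements that rule over a constructed set of collected values, and flags sentinel passes separately, because a host that passes only because its password policy could not be read is a data-collection gap to review in the Authentication Report, not evidence of a hardened host.

```python
from dataclasses import dataclass
from typing import Union

# Pass conditions as shown in the report's control detail (CID 1072).
EXPECTED_MIN_DAYS = 1
ACCEPTED_SENTINELS = frozenset({
    "Attribute not found",
    "Unable to retrieve password policy",
})


@dataclass(frozen=True)
class ControlResult:
    host: str
    cid: int
    actual: str
    passed: bool
    reason: str


def evaluate_min_pass_age(host: str, actual: Union[int, str]) -> ControlResult:
    """Evaluate 'Minimum Password Age' (CID 1072) for one collected value."""
    text = str(actual).strip()
    if text in ACCEPTED_SENTINELS:
        # Passes by the OR clause, but only because the policy was not collected.
        return ControlResult(host, 1072, text, True, "sentinel accepted; check authentication")
    try:
        days = int(text)
    except ValueError:
        return ControlResult(host, 1072, text, False, "value is not an integer")
    if days >= EXPECTED_MIN_DAYS:
        return ControlResult(host, 1072, text, True, f"{days} day(s) >= {EXPECTED_MIN_DAYS}")
    return ControlResult(host, 1072, text, False,
                         f"{days} day(s) < {EXPECTED_MIN_DAYS}; set 'Minimum password age' to 1 or more via GP")


def summarize(results) -> tuple:
    """Return (passed, failed, sentinel_passes) for a report-style summary."""
    passed = sum(r.passed for r in results)
    sentinel = sum(r.actual in ACCEPTED_SENTINELS for r in results)
    return passed, len(results) - passed, sentinel


# Constructed sample of collected values; not real scan output.
SAMPLE_COLLECTED = {
    "10.10.10.86": 0,                                    # misconfigured: fails
    "10.10.24.151": 1,                                   # meets the benchmark
    "10.10.36.98": "Unable to retrieve password policy", # sentinel: passes, review
    "10.10.36.123": "n/a",                               # unexpected value: fails
}

if __name__ == "__main__":
    results = [evaluate_min_pass_age(h, v) for h, v in SAMPLE_COLLECTED.items()]
    for r in results:
        print(f"{r.host:13} CID {r.cid} {'Passed' if r.passed else 'Failed'}  {r.reason}")
    print("passed/failed/sentinel:", summarize(results))
```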
We also show compliance mapping to standards like PCI, NIST, HIPAA, etc. in the report. 


Example control mapping from the report: 

10167 Status of the System Integrity Protection security policy 
Category: OS Security Settings 
Sub-Category: System Settings (OSI layers 6-7) 

Payment Card Industry Data Security Standard (PCI-DSS) v3.2 § 6.6 (For public-facing web applications, 
address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected 
against known attacks). 

NIST Cyber Security Framework (NIST CSF) 1.0 § PR.DS-6 (Integrity checking mechanisms are used to verify 
software, firmware, and information integrity). 

Health Insurance Portability and Accountability (HIPAA) Security Rule 45 CFR Parts 160/164, 
Subparts A/C: 1996 § 164.312(c)(1) (Integrity). 

Health Insurance Portability and Accountability (HIPAA) Security Rule 45 CFR Parts 160/164, 
Subparts A/C: 1996 § 164.312(c)(2) (Mechanism to authenticate electronic protected health 
information (Addressable)). 

Health Insurance Portability and Accountability (HIPAA) Security Rule 45 CFR Parts 160/164, 
Subparts A/C: 1996 § 164.312(e)(2)(i) (Integrity controls (Addressable)). 

This control is associated with the following documents: 

5.18 